The Basics of Cross-Site Scripting (XSS)


Cross-site scripting (XSS) is a client-side attack in which an attacker injects malicious script (typically JavaScript) into a web application or web site. The malicious payload is then executed in the browser of any user who visits the compromised page. Be aware that, to the browser, this malicious script appears to be a legitimate part of the web page.

Types of XSS

Persistent – This type of XSS requires an attacker to locate a vulnerable web application and then inject malicious code that is stored on the server. The malicious code is not executed immediately; it runs later, whenever a user loads the page that includes the stored content.

Reflected – This type of XSS occurs when a malicious script, supplied in a request, is reflected by the web application or site straight back to the browser of a user who trusted the web site they visited.

DOM-Based (Document Object Model) – This type of XSS occurs when malicious code is able to manipulate the page’s DOM. The attack is executed entirely on the client side. This type of XSS is the least common. Be aware that, by contrast, both persistent and reflected XSS originate on the server side: the payload is embedded in the server’s response.

Popular types of attacks with XSS

Cookie/session theft – to steal your current session and do things on your behalf.

Redirection to a phishing web site – to steal your credentials.

Execution of exploits discovered in a web browser – to install malware on the PC.

The simple test to check for reflected XSS

Locate input fields

Ex. A web form (first name, last name, etc.)

Create input data

<script>alert('Vulnerable to XSS')</script>

If a “Vulnerable to XSS” alert box appears when the page is rendered, the page is vulnerable.

This is just an alert box demonstrating that the application is vulnerable to XSS. By itself it presents no threat. However, think about what an attacker could do after discovering that a particular web application/site is vulnerable to XSS. The limit is their creativity.

How to prevent XSS

Input validation – Validate user input on the server side using a blacklist or a whitelist. Client-side validation cannot be trusted, as it is easily bypassed.

Escaping – Convert characters that have special meaning in HTML to their escape sequences before writing them into the page. For example, a “<” is converted to “&lt;”.
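The two defences above, written out as a worked example. This is an added illustration, not code from the original article or from Cybrary: a small Node.js snippet that escapes the five HTML-significant characters on output, applies a whitelist (allowlist) check to a "first name" field on input, and runs both over a constructed legitimate name and the alert-box test string from the section above. The function names (escapeHtml, isValidName, renderUnsafe, renderSafe, handleNameInput) and the name pattern are my own choices. Note that escapeHtml is correct for HTML text and quoted attribute values only; data written into a JavaScript block, a URL, or a CSS context needs the encoding appropriate to that context.

```javascript
// Added example (not from the original article): server-side output escaping
// plus allowlist input validation, the two defences the article lists.
// Runs under Node.js. All sample inputs below are constructed for the demo.

// The characters that can change meaning inside HTML text or attribute values.
// '&' is included so that a literal ampersand cannot start an entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape a value so the browser renders it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist for a "first name" field (hypothetical policy): Unicode letters,
// spaces, apostrophes and hyphens, 1-50 characters. Everything else is rejected.
const NAME_PATTERN = /^[\p{L} '-]{1,50}$/u;

function isValidName(value) {
  return typeof value === 'string' && NAME_PATTERN.test(value);
}

// How a vulnerable page builds its greeting: raw string interpolation.
// Shown only for contrast; a real application must never do this.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// The safe version: identical template, but the value is escaped on output.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Combined request handler: validate on the way in, escape on the way out.
// Both layers are applied even though either one alone would stop the test
// payload, because validation rules change and escaping is the last line.
function handleNameInput(name) {
  if (!isValidName(name)) {
    return { ok: false, html: '<p>Invalid name.</p>' };
  }
  return { ok: true, html: renderSafe(name) };
}

// Constructed samples: a legitimate name and the article's reflected-XSS probe.
const SAMPLES = [
  "Anne-Marie O'Neil",
  "<script>alert('Vulnerable to XSS')</script>",
];

// Run every sample through both renderers and the handler; returns the rows
// so they can be inspected programmatically as well as printed.
function demo() {
  const rows = SAMPLES.map((input) => ({
    input,
    unsafe: renderUnsafe(input),
    safe: renderSafe(input),
    handled: handleNameInput(input),
  }));
  for (const row of rows) {
    console.log('input   :', row.input);
    console.log('unsafe  :', row.unsafe);
    console.log('escaped :', row.safe);
    console.log('handled :', JSON.stringify(row.handled));
    console.log();
  }
  return rows;
}

demo();
```

In the printed output the "unsafe" line for the second sample contains a live `<script>` element, while the "escaped" line shows `&lt;script&gt;...`, which a browser displays as text. The handler rejects that sample outright because it fails the allowlist, so the escaped rendering is only reached for inputs that already passed validation.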

To conclude, I want to drive one very important point home: ALL data received by your application must be treated as if it came from an untrusted source.
